Orbot Your Twitter!

In some ways, Twitter is the perfect application to run over the Tor network. It works with small bits of data, it is asynchronous, works naturally in a “store and forward” queue model, and in general, has a decent amount of default security built-in through HTTP/S support and OAuth. Compared to the problem-child of the open web, which often involves large websites, streaming video, Flash embeds, and malicious JavaScript, Twitter is a nearly perfect candidate for use over a secure, anonymous (but sometimes high latency) network. Add to that the fact that Twitter is often blocked or monitored in many countries who do not care for free speech and human rights, and it becomes almost a necessity that you use it with a service like Tor.

WARNING AND DISCLAIMER: Twitter for Android is proprietary, closed-source software. Details of the implementation of proxy support have not been publicly disclosed or audited by a third party at this time. In particular, resolution of hostnames via DNS may not be properly routed through Tor (this is a common issue with proxied software). In addition, through other permissions that Twitter for Android may have on your device, there may be a strong ability to correlate identity between your registered Google Account and your activities on Twitter.

UPDATE June 13, 2012: After a recent audit, we now recommend turning off the “Sync Data” option through Twitter’s Settings menu, under your registered Twitter account. This will stop push notifications from being sent, which are currently not handled by Orbot/Tor.

Install and activate Orbot, open Twitter, tap the gear icon on the home screen.

Check the “proxy” box, enter ‘localhost’ and ‘8118’.

Open your account settings, and disable the “Sync Data” option to stop push notifications which cannot be proxied through Orbot/Tor.

See the screenshots below for a full walkthrough, and please spread the word to those in need.

Orbot and Twitter now work together easily, thanks to the new simple proxy settings feature in Twitter for Android

When you set up Orbot, your device does not need root or “superuser” access in order to work with Twitter, or with other apps like Gibberbot (Chat) or ORWeb (safe web access)

Orbot by default provides an HTTP proxy server on “localhost” and port 8118

In the Twitter app account sign in screen, click the small gear icon to open proxy settings

Enable the proxy, set Proxy Host to ‘localhost’ and Proxy Port to ‘8118’
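The DNS caveat in the disclaimer above comes down to what the app puts in the request it sends to Orbot's HTTP proxy: a hostname for the proxy to resolve, or an IP address it already looked up itself. The following is an added example, not code from Twitter, Orbot or ORlib; it uses a constructed stub in place of the proxy on localhost:8118, and the hostname `api.example.org`, the address `203.0.113.10` and all function names are placeholders chosen for illustration.

```python
import ipaddress
import socket
import threading

def start_stub_proxy(expected):
    # Constructed stand-in for Orbot's HTTP proxy (localhost:8118 on a device):
    # an ephemeral loopback port that records each request line it receives.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(expected)
    port, seen = srv.getsockname()[1], []
    def serve():
        for _ in range(expected):
            conn, _addr = srv.accept()
            with conn:
                head = conn.recv(4096).decode("ascii", "replace")
                seen.append(head.split("\r\n", 1)[0])
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        srv.close()
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return port, seen, worker

def connect_via_proxy(proxy_port, host, port=443, local_resolver=None):
    # local_resolver set = leaky pattern: the client resolves the name itself.
    target = local_resolver(host) if local_resolver else host
    request = f"CONNECT {target}:{port} HTTP/1.1\r\nHost: {target}:{port}\r\n\r\n"
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        return s.recv(4096).split(b"\r\n", 1)[0].decode("ascii")

def resolved_by_client(request_line):
    # True when the CONNECT target is an IP literal (lookup done on the device).
    target = request_line.split()[1].rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def demo():
    port, seen, worker = start_stub_proxy(expected=2)
    fake_dns = lambda name: "203.0.113.10"  # constructed answer (TEST-NET-3)
    connect_via_proxy(port, "api.example.org")  # hostname handed to the proxy
    connect_via_proxy(port, "api.example.org", local_resolver=fake_dns)  # leak
    worker.join(timeout=5)
    return [(line, resolved_by_client(line)) for line in seen]

if __name__ == "__main__":
    print(demo())
```

This check only covers what reaches the proxy. Traffic an app sends outside the proxy altogether, such as the push notifications mentioned in the update, never shows up in these request lines.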


73 comments for “Orbot Your Twitter!”

Whilst all the above is good and true, people shouldn’t make the mistake of thinking this means that they can access their anonymous Twitter account this way.

Has it been tested to make sure it doesn’t leak DNS and doesn’t fall back to non-proxy activity under any circumstances? Has the protocol been sniffed to make sure there is no information sent over the communication channel such as the user’s location or IP address, or the phone’s IMEI or phone number etc?

Thanks for the rightful concern, Mike. I think the excitement of Twitter adding this feature is beginning to be mitigated by the lack of clarity around how it was done. We’ve added a disclaimer to the post. In addition, we are working on a more formal audit.

One thing we have already discovered is that there is a push notification mechanism that utilizes the internal Google push mechanism for Android (non SMS), to notify of new Tweets. It is likely this is not proxied. In general, since most Android devices are entirely registered and tracked through a Google identity, if a user is looking for anonymity or some sort of identity protection, it is recommended to use a clean or separate Google account to power an Android device.

We hope/expect that developers will follow the best practices we’ve laid out in our ORlib project sample code, with regards to how HTTP or SOCKS proxying is implemented, but even within that context, and Java itself, there is a lack of clarity in how, for example, a hostname String in a java.net.* package class could be turned into an IP Address.

An interesting thing to note is that most Android devices have a statically configured DNS setting pointing at Google DNS (8.8.8.8 etc).

I tested the instruction above in Twidere, the FOSS Twitter and status.net client, and it worked like a charm. Thank you, and please add a note that using Free software is recommended when there are security wonders.

As you noted, one problem is that most Android devices are tracked by Google. So why are the Tor apps not available through Amazon? And why is ORWeb the only one that can’t be installed on an SD card? I was thinking that if we had an anonymous Amazon account used only for apps and digital products (you can use gift cards and prepaid debit cards) then loaded all the privacy apps on an SD card. All you would have to do when travelling and subject to search is take the card out. Reset the device without any Tor or privacy apps in evidence.

Sounds like something isn’t quite right with your setup. First, make sure that Orbot is running and says that it is connected to the Tor network. Second, double-check your proxy settings in the Twitter app.

Do I set up from my mobile Twitter app OR do I need to sign in and change proxy thru the web?
I can easily change thru mobile Twitter BUT thru web I cannot see the CAPTCHA words to authenticate. Is it OK to use with my Wi-Fi? Lastly, is there a way to be SURE I’ve set it up correctly? A test to do or place to look to see what is showing as IP address? Thank you!